How hacks on Dept. of Treasury sites were detected

Thursday - 5/6/2010, 8:00pm EDT

By Dorothy Ramienski
Internet Editor
Federal News Radio

Four public websites for the Bureau of Engraving and Printing that were hacked into and taken offline earlier this week were hosted in the cloud, prompting some officials to raise concerns about the overall security of cloud computing.

On Monday, The Daily Debrief told you about a blog post from Roger Thompson, chief research officer for AVG. He explained that bep.gov, bep.treas.gov and moneyfactory.gov had had malicious script injected into them.

The Department of the Treasury took the sites down and fixed the problem soon after it was discovered.

Thompson told The Daily Debrief how he and others at AVG found the attack in the first place.

"We have a product called LinkScanner, which is run by about 120 million people around the world, and about 50 percent of the users tell us if they find something strange. We have some alerts set up that tell us if it's something that might be critical, such as a gov site."

After an alert fires, Thompson said, software sorts through the alerts and brings the ones that matter to AVG's attention. They are then checked by hand to determine whether they are real attacks or false alarms.

This kind of attack can be difficult to detect.

"We have a sacrificial goat PC, and we visit [that]. It's a vulnerable PC. So, we visit the site pretending that we're a vulnerable PC and we have all sorts of change-detection software that's very good at spotting even a small change that's made to the system by an attacking website. We capture a packet trace of everything that happens, so we have proof if something happens."

The attackers redirected users who visited the Treasury sites to a rotator site in Ukraine.

"The job of the rotator site is to decide where it's going to send you [next]. They do that to keep people guessing and to make it hard to block the real attack site. You end up seeing the real attack site, but it's the rotator that's hard to spot because it's gone in a flash, unless you've got a packet sniff."
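The two pieces of that detection, as an added example that is not part of the article and not AVG's LinkScanner code: first, spotting content a page draws in from a host other than its own (the injected script); second, following that resource hop by hop and keeping every hop, so that a rotator which answers with a redirect and is "gone in a flash" still shows up in the record. All hosts, pages and responses below are constructed under the reserved `.test` domain, and `fake_fetch` stands in for an HTTP client replaying a captured trace; nothing is fetched from the network.

```python
"""Added example (not the article's or AVG's code): find off-site scripts
injected into a page and trace them, hop by hop, through a rotator to the
final landing page.  Every host, page and response here is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}


class ExternalResourceFinder(HTMLParser):
    """Collect <script src> and <iframe src> whose host differs from the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.external = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        url = urljoin(self.page_url, src)  # resolve relative paths against the page
        if urlparse(url).hostname != self.page_host:
            self.external.append(url)


def find_external_resources(page_url, html):
    """Return the off-site script/iframe URLs a page pulls in, in document order."""
    finder = ExternalResourceFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.external


def trace(url, fetch, max_hops=20):
    """Follow redirects and embedded resources from `url`, recording every hop.

    `fetch(url)` must return (status, location_header_or_None, body).  A browser
    only shows the final landing page; the rotator is an intermediate 302 that
    is only visible if each hop is kept, which is what the packet trace does.
    """
    hops, seen, queue = [], set(), [url]
    while queue and len(hops) < max_hops:
        current = queue.pop(0)
        if current in seen:  # redirect loop or a resource already followed
            continue
        seen.add(current)
        status, location, body = fetch(current)
        hops.append((current, status))
        if status in REDIRECTS and location:
            queue.append(urljoin(current, location))
        elif status == 200 and body:
            queue.extend(find_external_resources(current, body))
    return hops


# --- constructed sample data (hypothetical hosts under the reserved .test TLD) ---
HOMEPAGE_URL = "http://www.example-agency.test/index.html"
HOMEPAGE_HTML = """<html><head><title>Home</title>
<script src="/js/site.js"></script>
<!-- the injected line: content drawn in from a third-party partner -->
<script src="http://stats.example-partner.test/tracker.js"></script>
</head><body><p>Welcome</p></body></html>"""

# What a packet trace would have recorded: url -> (status, Location, body)
FAKE_RESPONSES = {
    HOMEPAGE_URL: (200, None, HOMEPAGE_HTML),
    "http://www.example-agency.test/js/site.js": (200, None, "/* legitimate */"),
    # the partner's server is compromised and bounces the script request
    "http://stats.example-partner.test/tracker.js":
        (302, "http://rotator.example-hop.test/go", ""),
    # the rotator picks the destination of the moment
    "http://rotator.example-hop.test/go":
        (302, "http://landing.example-evil.test/index.php", ""),
    "http://landing.example-evil.test/index.php":
        (200, None, "<html><body>exploit kit landing page</body></html>"),
}


def fake_fetch(url):
    """Stand-in for an HTTP client, replaying the constructed trace above."""
    return FAKE_RESPONSES.get(url, (404, None, ""))


if __name__ == "__main__":
    print("off-site content on the page:")
    for u in find_external_resources(HOMEPAGE_URL, HOMEPAGE_HTML):
        print("  ", u)
    print("chain from the page to the landing site:")
    for u, status in trace(HOMEPAGE_URL, fake_fetch):
        print(f"  {status}  {u}")
```

Run against a live page, `fetch` would wrap a real client that does not follow redirects on its own (otherwise the rotator hop is lost, which is exactly the problem the quote describes); the same-host `/js/site.js` is deliberately ignored so that only content "drawn in from somewhere else" is followed.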

Thompson said these schemes are generally run for one of two reasons: to make money or to take over the attacked computer. Once attackers own a victim's computer, they can do pretty much whatever they want, including stealing user IDs and passwords.

The attacks have made some nervous for a different reason, though. The sites were hosted in the cloud, and some are wondering whether this made them more vulnerable. Thompson said probably not.

"It's a Web problem. Viruses and malicious code have been around for a long time. They go through stages. They'll have some way of doing things, and then there'll be some extinction-level event. Something happens. The operating systems change or people turn on their firewalls by default -- something happens and that class of malware ceases to be a problem. The latest extinction-level event was with XP Service Pack 2, when the firewall was turned on by default in 2004. That meant [hackers] could no longer force their way in, so they found a new way, which is the Web."

The reason Web attacks are so prevalent now, he said, is largely that almost every Web site sits behind a firewall, so its traffic arrives over a connection that is trusted by default.

Unfortunately, Thompson said, there is no easy answer, though there are many things one can do to keep a site safe.

"You absolutely have to stay patched. If you're a consumer, you want some anti-malware software that deals specifically with the Web, because that's where it's all coming from at the moment. That's for consumers -- that's what they've got to do -- but it's hard for the website developers because this stuff was actually coming from a third party site. They were drawing content in from somewhere else. So, it becomes like the weakest link in the chain. They did everything right, quite likely, but one of their partners did not."